The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends, and indicators, curated by our intelligence specialists.
top NEWS stories this week
- Ukraine and Russia. The latest cyber updates on the situation in Ukraine.
- New phishing campaigns. Monzo, OpenSea, and Microsoft Teams become targets of new phishing campaigns.
- Raids in Ukraine. Ukrainian police launch a series of raids targeting a phishing group.
- Hive decrypted. The Hive ransomware master key is retrieved using a flaw in its encryption.
- Mergers & acquisitions in the underworld. Ransomware group Conti takes control of TrickBot.
1. Cyber updates on the Ukrainian situation
- On 23 February 2022, Ukraine faced its third wave of cyber attacks this year. These included distributed denial of service (DDoS) attacks, which rendered websites of several Ukrainian government agencies and banks inaccessible, as well as data-wiping attacks against Ukrainian organisations using the malware HermenticWiper. HermenticWiper has also been discovered on machines in Lithuania and Latvia belonging to contractors working for the Ukrainian Government.
- Following Russia’s aggression towards Ukraine, and concerns that sanctions against Russia may provoke retaliation, various government elements from the US, UK, and Australia warned their domestic citizens and organisations that Russia poses an increased cyber threat.
- The UK Defence Secretary announced that the UK is ready to launch retaliatory cyber attacks on Russia if UK networks are targeted. In the US, President Biden was presented with cyber attack options that the US could launch against Russia to disrupt the state’s ability to sustain military operations in Ukraine.
- Following Russia’s military invasion of Ukraine on 24 February 2022, the hacktivist group Anonymous declared cyberwar against Russia and disabled multiple Russian government websites and the state-controlled news organisation, Russia Today.
SO WHAT?Russia may launch retaliatory cyber attacks on states imposing sanctions against them. Although most such attacks would likely target government entities, private organisations providing key infrastructure may also be targeted. Such organisations should take particular care to collectively harden their security posture and monitor their systems for suspicious activity.
2. New phishing campaigns
- A new SMS-based phishing campaign targeting customers of the online banking service Monzo has appeared. Targets are initially sent a text message purporting to be from Monzo encouraging them to click through to a false Monzo landing page that harvests any credentials submitted. If a victim completes all fields on the page, the threat actor has enough information to take control of the victim’s Monzo account.
- Investors in NFTs (non-fungible tokens) held on the NFT marketplace OpenSea were targeted with a phishing attack that imitated communications from OpenSea. As a result, NFTs with a collective estimated value of USD 2 million were stolen. The attacks came as Microsoft warned of emerging phishing threats relating to blockchain technology.
- Microsoft Teams has become a new phishing attack vector with threat actors attaching malware to Teams chats from compromised Teams accounts.
SO WHAT?Organisations should provide staff with regular training on how to identify phishing messages and conduct occasional simulated phishing tests to identify potential areas for improvement.
3. Ukrainian police move against cyber criminalsThe Ukrainian cyber police launched a series of raids targeting alleged members of a Ukraine-based phishing group. The group is thought to be responsible for stealing bank card details from more than 70,000 people and causing financial damage of an estimated USD 175,000. According to the cyber police unit, five alleged group members were arrested, and USD 70,000 in cash was seized alongside computers, mobile phones, and bank cards.
SO WHAT?Successful raids like these should be celebrated, but phishing attacks are still a common method of compromise for attackers and defending against this threat should remain a priority for organisations.
4. The Hive ransomware master key is retrievedResearchers retrieved a master decryption key for Hive ransomware by exploiting a vulnerability in the malware’s encryption algorithm. The master key allows for data encrypted with Hive ransomware to be decrypted without requiring the attacker’s private key. Hive emerged in June 2021 and has claimed hundreds of victims since then. Currently, there is no publicly available decryption tool.
SO WHAT?Ransomware developers, like legitimate software developers, are not immune from bugs and vulnerabilities. Those affected by Hive ransomware should watch out for a possible decryptor that could help to recover encrypted files.
5. Mergers and acquisitionsAccording to researchers, the ransomware group Conti has acquired the TrickBot malware operation. TrickBot has been a prominent tool in the cyber criminal world since 2016, providing threat actors access to machines infected with the malware. Although TrickBot developers initially partnered with multiple cyber criminal gangs, by the end of 2021, Conti was the only beneficiary of the malware. Conti now also controls the malware BazarBackdoor, a stealthier version of TrickBot.
SO WHAT?Conti has been a growing threat since they first appeared at the end of 2019. Now with full control of TrickBot and BazarBackdoor, this trend looks set to continue.